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IN THE CLAIMS 

Please amend the claims as follows: 



1 . (Currently Amended) A method for enabling secure communications between an 
implantable medical device (IMD) and an external device (ED) over a telemetry channel, 
comprising: 

implementing a telemetry interlock which limits any cormnunications between the ED 
and the IMD over the telemetry channe l wherein a data communications session over the 
telemetry channel can be estabhshed which allows transmission of data from the IMP to the ED 
if the telemetry interlock is not released, but programming of the IMD by the ED cannot be 
performed unless the telemetry interlock is released ; 

releasing the telemetry interlock by transmitting an enable command to the IMD via a 
short-range communications channel requiring physical proximity to the IMD; 

authenticating the IMD to the ED when the ED receives a message from the IMD 
evidencing use of an encryption key expected to be possessed by the IMD; 

authenticating the ED to the IMD when the IMD receives a message from the ED 
evidencing use of an encryption key expected to be possessed by the ED; and, 

allowing a data communications session between the IMD and ED over the telemetry 
channel to occur only after the IMD and ED have been authenticated to one other. 



2. (Original) The method of claim 1 wherein the ED and the IMD are authenticated to one 
another using public key cryptography by: 

authenticating the IMD to the ED when the ED encrypts a first message with a pubhc key 
having a corresponding private key expected to be possessed by the IMD, transmits the 
encrypted first message over the telemetry channel to the IMD, and receives in response a 
message from the IMD derived from the first message which thereby evidences possession of the 
corresponding private key by the IMD; and, 

authenticating the ED to the IMD when the IMD encrypts a second message with a pubUc 
key having a corresponding private key expected to be possessed by the ED, transmits the 
encrypted second message over the telemetry channel to the ED, and receives in response a 
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message from the ED derived from the second message which thereby evidences possession of 
the corresponding private key by the ED. 



3. (Currently Amended) The method of claim 2 wherein the message derived from the first 
message sent by the IMD or ED for authentication includes the first message and wherein the 
message derived from the second message sent by the IMD or ED for authentication includes the 
second message. 

4. (Original) The method of claim 2 wherein the first and second messages include random 
nimibers generated by the ED and IMD, respectively. 

5. (Original) The method of claim 2 wherein the first and second messages include identity 
codes for the ED and IMD, respectively. 

6. (Original) The method of claim 2 wherein the messages derived from the first and second 
messages and which are transmitted by the IMD and ED, respectively, are encrypted using the 
pubUc keys of the ED and IMD, respectively. 

7. (Original) The method of claim 2 wherein the message derived from the first message which 
is transmitted by the IMD includes the second message. 

8. (Original) The method of claim 1 fixrther comprising encrypting communications between 
the ED and IMD during the data communications session. 

9. (Original) The method of claim 2 fiirther comprising encrypting communications between 
the ED and IMD during the data communications session with secret key cryptography, wherein 
the secret key data commimications session is established by one of either the ED or the IMD 
fransmitting to the other of either the ED or the IMD a secret session key encrypted by the 
latter's public key. 
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10. (Original) The method of claim 1 wherein one of either the ED or the IMD is designated as a 
session instigator and the other of the ED or IMD is designated as a session recipient, the ED and 
the IMD are authenticated to one another using public key cryptography, and authentication is 
accomplished by: 

the instigator encrypting a first message with a public key having a corresponding private 
key expected to be possessed by the recipient, wherein the first message includes an identity 
code for the instigator and a random number Ra, 

the instigator transmitting the encrypted first message over the telemetry channel to the 
recipient; 

the recipient decrypting the first message with its private key, looking up a public key 
having a corresponding private key expected to be possessed by the instigator using the identity 
code contained in the first message, and encrypting a second message with the public key of the 
instigator, wherein the second message includes an identity code for the recipient, the random 
number Ra, and a second random number Rb; 

the recipient transmitting the encrypted second message over the telemetry channel to the 
instigator; 

the instigator decrypting the second message with its private key corresponding to the 
public key used to encrypt the second message and verifying that the second message contains 
Ra to thereby authenticate the recipient; 

the instigator encrypting a third message derived from the second message with the 
pubHc key of the recipient, wherein the third message includes the random number Rb; 

the instigator transmitting the encrypted third message over the telemetry chaimel to the 
recipient; and, 

the recipient decrypting the third message with its private key corresponding to the public 
key used to encrypt the third message and verifying that the third message contains Rb to thereby 
authenticate the instigator. 
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1 1 . (Original) The method of claim 10 further comprising encrypting communications between 
the instigator and the recipient during the data communications session with secret key 
cryptography, wherein the secret key data communications session is established by the 
instigator transmitting to the recipient a secret session key encrypted by the recipient's public 
key. 

12. (Original) The method of claim 1 1 wherein the secret session key is contained in the third 
message transmitted by the instigator. 

13. (Original) The method of claim 1 wherein the ED and the IMD are authenticated to one 
another using secret key cryptography by: 

authenticating the IMD to the ED when the ED transmits a first message to the IMD over 
the telemetry channel and receives in response a message derived from the first message which is 
encrypted by a secret key expected to be possessed by the IMD; 

authenticating the ED to the IMD when the IMD transmits a second message to the ED 
over the telemetry channel and receives in response a message derived from the second message 
which is encrypted by a secret key expected to be possessed by the ED. 

14. (Original) The method of claim 1 wherein, after a data communications session ends, the 
telemetry interlock is re-activated to limit communications over the telemetry channel until the 
telemetry interlock is again released. 

15. (Original) The method of claim 1 wherein no communications between the ED and IMD are 
allowed to occur until the telemetry interlock is released. 

16. (Canceled) 



17. (Original) The method of claim 1 wherein the telemetry chaimel is a far-field radio- 
frequency communications link. 
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18. (Original) The method of claim 1 wherein the telemetry channel includes an internet link. 

19. (Original) The method of claim 1 wherein the short-range communications channel is an 
inductive communications link between the IMD and another device. 

20. (Original) The method of claim 1 wherein the short-range communications channel is a 
switch within the IMD which is actuated by a magnet held in close proximity to the IMD to 
thereby release the telemetry interlock. 

21 . (Currently Amended) A method for enabling secure communications between an 
implantable medical device (IMD) and an external device (ED) over a telemetry channel, 
comprising: 

implementing a telemetry interlock which is released by transmitting an enable command 
to the IMD via a short-range communications channel requiring physical proximity to the IMD; 
and, 

limiting data communications between the IMD and ED over the telemetry channel until 

the telemetry interlock has been release d, wherein a data communications session over the 
telemetry channel can be established which allows transmission of data irom the IMP to the ED 
if the telemetry interlock is not released, but programming of the IMD by the ED cannot be 
performed unless the telemetry interlock is released . 

22. (Original) The method of claim 21 wherein, after a data communications session over the 
telemetry chaimel ends, the telemetry interlock is re-activated to limit communications over the 
telemetry chaimel until the telemetry interlock is again released. 



23. (Original) The method of claim 21 wherein no communications between the ED and IMD 
are allowed to occur over the telemetry channel until the telemetry interlock is released. 
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24. (Canceled) 

25. (Original) The method of claim 21 wherein the short-range communications channel is an 
inductive communications link between the IMD and another device. 

26. (Original) The method of claim 21 wherein the short-range communications channel is a 
switch within the IMD which is actuated by a magnet held in close proximity to the IMD to 
thereby release the telemetry interlock. 

27. (Currently Amended) A method for enabling secure communications between an 
implantable medical device (IMD) and an external device (ED) over a telemetry channel, 
comprising: 

authenticating the MD to the ED when the ED receives a message from the IMD 
evidencing use of an encryption key expected to be possessed by the IMD; 

authenticating the ED to the IMP when the IMD receives a message from the ED 
evidencing use of an encryption key expected to be possessed by the ED: and. 

allowing a data communications session b e tw ee n the IMD and ED ov e r th e t e l e m e try 
chann e l to occur only aft e r th e IMP has b ee n auth e nticat e d to the ED limiting commimications 
between the IMP and the ED such that a data communications session over the telemetry 
channel can be established which allows transmission of data from the IMD to the ED if the ED 
has not been authenticated to the IMD. but programming of the IMD by the ED cannot be 
performed unless the ED has been authenticated to the IMD . 

28. (Canceled) 

29. (Currently Amended) The method of claim 2% 27 wherein the ED and the IMP are 
authenticated to one another using public key cryptography by: 

authenticating the IMP to the EP when the EP encrypts a first message with a public key 
having a corresponding private key expected to be possessed by the IMP, fransmits the 
encrypted first message over the telemefry channel to the IMP, and receives in response a 
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message from the IMD derived from the first message which thereby evidences possession of the 
corresponding private key by the IMD; and, 

authenticating the ED to the IMD when the IMD encrypts a second message with a pubUc 
key having a corresponding private key expected to be possessed by the ED, transmits the 
encrypted second message over the telemetry channel to the ED, and receives in response a 
message from the ED derived from the second message which thereby evidences possession of 
the corresponding private key by the ED. 

30. (Currently Amended) The method of claim 28 27 wherein the ED and the IMD are 
authenticated to one another using secret key cryptography by: 

authenticating the IMD to the ED when the ED transmits a first message to the IMD over 
the telemetry channel and receives in response a message derived from the first message which is 
encrypted by a secret key expected to be possessed by the IMD; 

authenticating the ED to the IMD when the IMD transmits a second message to the ED 
over the telemetry channel and receives in response a message derived from the second message 
which is encrypted by a secret key expected to be possessed by the ED. 



3 1 . (Currently Amended) A method for enabling secure communications between an 
implantable medical device (IMD) and an external device (ED) over a telemetry channel, 
comprising: 

authenticating the ED to the IMD when the IMD receives a message from the ED 
evidencing use of an encryption key expected to be possessed by the ED; and, 

allowing a data communications session b e tween th e IMD and ED ov e r th e t e l e m e try 
chann e l to occur only aft e r th e ED has b e en auth e nticat e d to the IMD 

limiting communications between the IMD and the ED such that a data communications 
session over the telemetry channel can be established which allows transmission of data from the 
IMD to the ED if the ED has not been authenticated to the IMP, but programming of the IMD by 
the ED cannot be performed unless the ED has been authenticated to the IMD . 
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32. (Currently Amended) A system for enabling secure communications between an 
implantable medical device (IMD) and an extemal device (ED) over a telemetry channel, 
comprising: 

means for implementing a telemetry interlock which limits any communications between 
the ED and the IMD over the telemetry channel such that a data communications session over the 
telemetrv channel can be established which allows transmission of data from the IMD to the ED 
if the telemetrv interlock is not released, but programming of the IMD bv the ED cannot be 
performed unless the telemetrv interlock is released : 

means for releasing the telemetry interlock by transmitting an enable command to the 
IMD via a short-range communications channel requiring physical proximity to the IMD; 

means for authenticating the IMD to the ED when the ED receives a message from the 
IMD evidencing use of an encryption key expected to be possessed by the IMD; 

means for authenticating the ED to the IMD when the IMD receives a message from the 
ED evidencing use of an encryption key expected to be possessed by the ED; and, 

means for allowing a data communications session between the IMD and ED over the 
telemetry channel to occur only after the IMD and ED have been authenticated to one other. 

33. (Currently Amended) A system for enabling secure communications between an 
implantable medical device (IMD) and an extemal device (ED) over a telemetry channel, 
comprising: 

means for implementing a telemetry interlock which is released by transmitting an enable 
command to the IMD via a short-range communications channel requiring physical proximity to 
the IMD; and, 

means for limiting data communications between the IMD and ED over the telemetry 
chaimel until the telemetry interlock has been released such that a data communications session 
over the telemetrv channel can be established which allows transmission of data from the IMP to 
the ED if the telemetrv interlock is not released, but programming of the IMD bv the ED cannot 
be performed unless the telemetrv interlock is released . 
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34. (Original) The system of claim 33 wherein the short-range commimications channel is an 
inductive communications link between the IMD and another device. 



35. (Original) The system of claim 33 wherein the short-range communications channel is a 
switch within the MD which is actuated by a magnet held in close proximity to the IMD to 
thereby release the telemetry interlock. 



